Why HR professionals must review the GPDR this month

AT first glance, it doesn’t seem like the European Union’s General Data Protection Regulation (GDPR) will impact all parts of the business.

IT and operations divisions, for example, just collect a lot of data about customers, users, and hence, it’s obvious that they’ll be impacted by the GDPR – but human resources (HR)? It’s a division almost everyone feels is insulated from the new regulations coming into effect later this month.

Unfortunately, this isn’t true. In fact, the HR department is a data goldmine and has information of all sorts of employees and applicants, across ranks, which it ideally stores for years or even decades.

Here are five things specialists must pay attention to if they want to protect their business from liabilities and ensure their HR team complies with the GDPR:

Capturing and storing data is okay, provided you have consent

According to the GDPR, you can capture and store data so long as users provide “specific, informed and unambiguous” consent.

Also, you need to make it possible for people to withdraw their consent when they like. Consent, per the GDPR, isn’t permanent.

You can keep data, but not forever

According to the GDPR, organizations will only be able to retain data for as long as “necessary”. Although there isn’t a clear definition of what is necessary, it must definitely be a reasonable duration.

For example, information collected via web-based job application systems should ideally be deleted as soon as they’re declared unsuccessful, or at least within a year – according to best practices.

Data can only be used for the intended purpose

This one is probably the simplest. If you collect data for something, you can only use it for that purpose and nothing else.

If you’re collecting data to understand trends or patterns among employees to take leave based on their geographical location and their department or seniority in the organization, you’re going to have to tell your employees if you’re going to use that data for something else.

Although standard and enhanced Disclosure and Barring Service (DBS) checks will still be permitted under the GDPR, you won’t be able to conduct routine basic DBS checks on all employees, regardless of their role.

In fact, going further, the GDPR makes it unlawful for you to obtain consent from the individuals to justify such checks given the unequal bargaining positions of the respective parties.

You’ll need to encrypt all the sensitive personal information you carry

The law requires that all personal information is encrypted appropriately. For businesses communicating with employees via email, making sure only the right people have access to customer email addresses is important.

Further, HR professionals need to re-evaluate what they consider sensitive personal information and re-align their definition to the GDPR to avoid non-compliance.